Bilinear pairings on elliptic curves 

Andreas Enge* 
14 December 2012 



Abstract 

We give an elementary and self-contained introduction to pairings on elliptic curves over finite fields. For the first time in the literature, the three different definitions of the Weil pairing are stated correctly and proved to be equivalent using Weil reciprocity. Pairings with shorter loops, such as the ate, ate$_i$, R-ate and optimal pairings, together with their twisted variants, are presented with proofs of their bilinearity and non-degeneracy. Finally, we review different types of pairings in a cryptographic context. This article can be seen as an update chapter to A. Enge, Elliptic Curves and Their Applications to Cryptography - An Introduction, Kluwer Academic Publishers 1999.

1 Introduction 

A bilinear pairing e maps a pair of points (hence the name "pairing") on an elliptic curve E, 
defined over some field K, to an element of the multiplicative group of a finite extension of K. 
Moreover, the map is a homomorphism of groups (or, equivalently, Z-modules, hence the "linear") 
in both its arguments (which explains the "bi"). This implies 

$$e(aP, bQ) = e(P, Q)^{ab}$$

for all points P and Q on the curve and integers a and b. 

Bilinear pairings transport the discrete logarithm problem from a curve defined over a finite field into the multiplicative group of a finite field; consequently, they have first been suggested as a means of attacking cryptosystems by computing discrete logarithms on certain curves [MOV93, FR94]. First constructive cryptographic applications have been described in [Jou00, SOK00, BF01], and since then, the number of publications introducing pairing-based cryptographic primitives has exploded. A new annual conference series, Pairing, is devoted to the topic [TOOO07, GP08, SW09, JMO10].

This document provides a self-contained introduction to pairings and aims at summarising the state of the art as far as the definitions of different pairings and their cryptographic use are concerned. While being as accessible as possible, we do not sacrifice mathematical rigour, in the style of [Eng99], of which the current article can be seen as an update chapter. While most of the following holds over arbitrary perfect fields, we limit the presentation to the only case of interest in the cryptographic context, namely $K$ being a finite field $\mathbb{F}_q$ with $q$ elements. Pairings can be defined in Jacobians of arbitrary curves or, more generally, in abelian varieties. However, due to recent progress in solving the discrete logarithm problem (see the survey [Eng08]), only elliptic curves and hyperelliptic curves of genus 2 appear to be suited for cryptography. The problem of finding suitable instances is not yet solved in a satisfactory way for the latter, so we consider only elliptic curves in the following.

An excellent survey is given by Galbraith in [Gal05]. We complement his presentation by concentrating on the Weil pairing instead of the Tate pairing and by reporting on progress made after the publication of [Gal05] concerning pairings with shorter evaluation loops.

2 Elliptic curves and Weil reciprocity 
2.1 Divisors and group law 

We assume the reader to be familiar with basic algebra, in particular with finite fields. For proofs of the following facts on elliptic curves, see [Sil86, Eng99]. Other sources for the use of elliptic curves in cryptography are [CFA+06, BSS99]. Let $K = \mathbb{F}_q = \mathbb{F}_{p^m}$ be the finite field of characteristic $p$ with $q$ elements. In several places, we consider the algebraic closure $\bar K$ for convenience; this could be replaced by a sufficiently large extension field to contain the coordinates of all points under consideration. An elliptic curve over $K$ is given by a non-singular, absolutely irreducible long Weierstraß equation

$$E : Y^2 + (a_1 X + a_3) Y = X^3 + a_2 X^2 + a_4 X + a_6$$

with $a_i \in K$. If $p \geq 5$, the equation can be transformed into short Weierstraß form in which all but $a_4$ and $a_6$ vanish. The points on $E$ are given by the affine points $(x, y) \in \bar K^2$ satisfying the equation, together with a projective point at infinity $O$. The coordinate ring of $E$ is the ring $K[E] = K[X, Y]/(E)$ of polynomial functions, its function field $K(E) = K(X)[Y]/(E) = \{a(X) + b(X) Y : a, b \in K(X)\}$ is the set of rational functions from $E$ to $K \cup \{\infty\}$; the value $\infty$ is reached when the function has a pole in a point. It turns out that the points on $E$ are in a one-to-one correspondence with the discrete valuation rings of $K(E)$, given by the rings $O_P$ of functions that do not have a pole in $P$.

The set $E(K)$ of points on $E$ with coordinates in $K$ (including $O$) can be turned into a finite abelian group via the tangent-and-chord law: $O$ is the neutral element of the group law, and three points on a line sum to $O$. The only delicate point in proving the group law is associativity; the simplest proof (that also generalises to other curves) uses divisors, which are needed anyway to define pairings. Let

$$\mathrm{Div}(E) = \Big\{ \sum_P n_P [P] : P \in E(\bar K),\ n_P \in \mathbb{Z},\ \text{only finitely many } n_P \text{ are non-zero} \Big\}$$

be the free abelian group over the points on $E$, define the degree of a divisor as the sum $\sum n_P$ of its coefficients, and let $\mathrm{Div}^0(E)$ be the subgroup of $\mathrm{Div}(E)$ consisting of divisors of degree 0. To a rational function $f \in K(E)$, associate its divisor $\operatorname{div}(f) = \sum_P \operatorname{ord}_P(f) [P]$, where $\operatorname{ord}_P(f)$ is the valuation of $f$ with respect to $O_P$, that is, $\operatorname{ord}_P(f) > 0$ if $P$ is a zero of $f$, $\operatorname{ord}_P(f) < 0$ if $P$ is a pole, and $\operatorname{ord}_P(f) = 0$ otherwise. Let $\mathrm{Prin}(E) = \{\operatorname{div}(f) : f \in K(E)\} \subseteq \mathrm{Div}^0(E)$ be the set of principal divisors. Then the quotient $\mathrm{Pic}^0(E) = \mathrm{Div}^0(E)/\mathrm{Prin}(E)$ is evidently a group, and it can be identified with $E(\bar K)$ via $P \mapsto [P] - [O]$, which sends $O$ to the neutral element.

Let $\sim$ denote equivalence modulo $\mathrm{Prin}(E)$. The geometric tangent-and-chord law is recovered as follows. For a point $R = (x_R, y_R)$, let

$$v_R = X - x_R \tag{1}$$

be the vertical line through $R$. Then $\operatorname{div}(v_R) = [R] + [\bar R] - 2[O] \sim 0$ with $\bar R = (x_R, -y_R - a_1 x_R - a_3)$, so that $-R = \bar R$. For two points $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ with $Q \neq -P$ let $\ell_{P,Q}$ be the chord through $P$ and $Q$ if $P \neq Q$ or the tangent at $P$ if $P = Q$:

$$\lambda_{P,Q} = \begin{cases} \dfrac{y_Q - y_P}{x_Q - x_P} & \text{if } P \neq Q \\[2ex] \dfrac{3 x_P^2 + 2 a_2 x_P + a_4 - a_1 y_P}{2 y_P + a_1 x_P + a_3} & \text{if } P = Q \end{cases}, \qquad \ell_{P,Q} = (Y - y_P) - \lambda_{P,Q} (X - x_P). \tag{2}$$

Then $\ell_{P,Q}$ intersects $E$ in a third point $\bar R \neq O$, and $\operatorname{div}\left(\frac{\ell_{P,Q}}{v_R}\right) = \operatorname{div}(\ell_{P,Q}) - \operatorname{div}(v_R) = ([P] + [Q] + [\bar R] - 3[O]) - ([R] + [\bar R] - 2[O]) = [P] + [Q] - [R] - [O] \sim 0$ implies that $P + Q = R$. By induction, this proves the following characterisation of principal divisors.

Theorem 1 A divisor $D = \sum_P n_P [P]$ is principal if and only if $\deg D = 0$ and $\sum_P n_P P = O$ on $E$. The function associated to a principal divisor is unique up to multiplication by constants in $\bar K^*$.

It is often useful to assume the following normalisation. 

Definition 2 The leading coefficient of a function $f$ at $O$ is

$$\operatorname{lc}(f) = \left( \left( \frac{X}{Y} \right)^{-\operatorname{ord}_O(f)} f \right)(O).$$

A function $f$ is monic at $O$ if $\operatorname{lc}(f) = 1$.

In particular, the lines $v_R$ and $\ell_{P,Q}$ given above for the tangent-and-chord law are monic at $O$, and this implies that the functions computed in Algorithm 11 will also be monic at $O$.



2.2 Rational maps, isogenies and star equations 

Let $E$, $E'$ be two elliptic curves over the same field $K$. A rational map $\alpha : E \to E'$ is an element of $E'(K(E))$. Explicitly, $\alpha$ is given by rational functions in $X$ and $Y$ that satisfy the Weierstraß equation for $E'$. Unless $\alpha$ is constant, it is surjective. If $\alpha(O) = O'$, then $\alpha$ is in fact a group homomorphism, and it is called an isogeny. If furthermore $E = E'$, then $\alpha$ is called an endomorphism. The endomorphisms that are most important in the following are multiplications by an integer $n$, denoted by $[n]$.

A non-constant rational map $\alpha : E \to E'$ induces an injective homomorphism of function fields $\alpha^* : K(E') \to K(E)$, $f' \mapsto f' \circ \alpha$; the degree of $\alpha$ is the degree of the function field extension $[K(E) : \alpha^*(K(E'))]$. For instance, $\deg([n]) = n^2$. If $\alpha$ is an isogeny, there is another isogeny $\hat\alpha$ of the same degree, called its dual, such that $\hat\alpha \circ \alpha = [\deg \alpha]$.

For a point $P \in E$ and $P' = \alpha(P)$, there is an integer $e_\alpha(P)$, called ramification index, such that $\operatorname{ord}_P(\alpha^*(f')) = e_\alpha(P) \operatorname{ord}_{P'}(f')$ for any $f' \in K(E')$. When $\alpha$ is an isogeny, $e_\alpha(P)$ is independent of $P$. In this case, we have $\deg \alpha = e_\alpha \cdot \#(\ker \alpha)$, and two extreme cases can occur: If $e_\alpha = 1$, then $\alpha$ is called separable; in particular, $[n]$ is separable if $p \nmid n$. If $\#(\ker \alpha) = 1$, then $\alpha$ is (up to isomorphisms) a power of the purely inseparable Frobenius endomorphism $(x, y) \mapsto (x^q, y^q)$ of degree and ramification index $q$. An arbitrary isogeny can be decomposed into a separable one and a power of Frobenius, which is often convenient for proving theorems.

The ramification index allows us to define a homomorphism $\alpha^* : \mathrm{Div}(E') \to \mathrm{Div}(E)$ on divisors by

$$\alpha^*([P']) = \sum_{\alpha(P) = P'} e_\alpha(P) [P]$$

in such a way that the maps $\alpha^*$ on functions and divisors are compatible; the proof follows immediately from the definition of $e_\alpha$.

Theorem 3 (Upper star equation) If $\alpha : E \to E'$ is a non-constant rational map and $f' \in K(E')$, then

$$\alpha^*(\operatorname{div}(f')) = \operatorname{div}(\alpha^*(f')).$$

On the other hand, the map $\alpha_* : \mathrm{Div}(E) \to \mathrm{Div}(E')$ is defined by $\alpha_*([P]) = [\alpha(P)]$. A corresponding map on function fields $K(E) \to K(E')$ can be defined by

$$\alpha_*(f) = (\alpha^*)^{-1}\left( N_{K(E)/\alpha^*(K(E'))}(f) \right),$$

where $N$ denotes the norm with respect to the function field extension. The map $\alpha_*$ is well-defined because the norm is an element of $\alpha^*(K(E'))$, so that a preimage exists, and because $\alpha^*$ is injective, so that the preimage is unique.

It is shown in [CC90, (18)] that

$$N_{K(E)/\alpha^*(K(E'))}(f) = \left( \prod_{R \in \ker \alpha} f \circ \tau_R \right)^{e_\alpha}, \tag{3}$$

where $\tau_R$ is the translation by $R$; the product accounts for the separable, the exponent for the inseparable part of the isogeny. This can be used to show the following result:

Theorem 4 (Lower star equation) If $\alpha : E \to E'$ is a non-constant rational map and $f \in K(E)$, then

$$\alpha_*(\operatorname{div}(f)) = \operatorname{div}(\alpha_*(f)).$$



2.3 Weil reciprocity 

The key to the definition of pairings is the evaluation of rational functions in divisors. For $D = \sum_P n_P [P]$ let its support be $\operatorname{supp}(D) = \{P : n_P \neq 0\}$. The evaluation of a rational function $f$ in points is extended to a group homomorphism from divisors (with support disjoint from $\operatorname{supp}(\operatorname{div} f)$) to $\bar K^*$ via

$$f\Big( \sum_P n_P [P] \Big) = \prod_P f(P)^{n_P}.$$

In order to handle common points in the supports, let the tame symbol of two functions $f$ and $g \in K(E)$ be defined as

$$(f, g)_P = \left( (-1)^{\operatorname{ord}_P(f) \operatorname{ord}_P(g)}\, \frac{f^{\operatorname{ord}_P(g)}}{g^{\operatorname{ord}_P(f)}} \right)(P).$$

Theorem 5 (Generalised Weil reciprocity) If $f, g \in K(E)$, then

$$\prod_{P \in E(\bar K)} (f, g)_P = 1.$$

In particular, if $\operatorname{supp}(\operatorname{div} f) \cap \operatorname{supp}(\operatorname{div} g) = \emptyset$, then

$$f(\operatorname{div} g) = g(\operatorname{div} f). \tag{4}$$

For a proof, see [CC90, §7].

3 Weil pairing 

Let $E[n] = \{P \in E(\bar K) : nP = O\} = \ker([n])$ be the set of $n$-torsion points of $E$, which are not necessarily defined over $K$. For future reference, we denote by $E(K)[n] = E[n] \cap E(K)$ the set of points of $E[n]$ defined over $K$. From now on, we will assume that $\gcd(n, p) = 1$; then the group $E[n]$ is finite and isomorphic to $\mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$. The field $L$ obtained by adjoining to $K = \mathbb{F}_q$ all coordinates of $n$-torsion points is thus a finite field extension $\mathbb{F}_{q^k}$, and $k$ is called the embedding degree of the $n$-torsion. We have $L \supseteq K(\zeta_n)$, where $\zeta_n$ is a primitive $n$-th root of unity, and equality holds in the case of main cryptographic interest, namely that $n$ is a prime and $n \nmid q - 1$, by [BK98, Th. 1]. Then $k$ is the smallest integer such that $n \mid q^k - 1$.

Theorem 6 The Weil pairing is a map

$$e_n : E[n] \times E[n] \to \mu \subseteq L^*,$$

where $\mu$ is the set of $n$-th roots of unity in $L$, satisfying the following properties:

(a) Bilinearity:

$$e_n(P_1 + P_2, Q) = e_n(P_1, Q)\, e_n(P_2, Q),$$

$$e_n(P, Q_1 + Q_2) = e_n(P, Q_1)\, e_n(P, Q_2) \quad \forall P, P_1, P_2, Q, Q_1, Q_2 \in E[n];$$

(b) Identity:

$$e_n(P, P) = 1 \quad \forall P \in E[n];$$

(c) Alternation:

$$e_n(P, Q) = e_n(Q, P)^{-1} \quad \forall P, Q \in E[n];$$

(d) Non-degeneracy: For any $P \in E[n] \setminus \{O\}$, there is a $Q \in E[n]$, and for any $Q \in E[n] \setminus \{O\}$, there is a $P \in E[n]$ such that $e_n(P, Q) \neq 1$;

(e) Compatibility with isogenies:

$$e_n(\alpha(P), \alpha(Q)) = e_n(P, Q)^{\deg \alpha}, \qquad e_n(P', \alpha(Q)) = e_n(\hat\alpha(P'), Q)$$

for $P, Q \in E[n]$, $P' \in E'[n]$ and $\alpha : E \to E'$ a non-zero isogeny defined over $L$. In particular, $\alpha$ may be the Frobenius endomorphism on $E$ of degree $q$.

In the literature, there are in fact three equivalent definitions of the Weil pairing, and depending on which one is chosen, the different properties are more or less easy to prove, the most intricate one being non-degeneracy. In the following, we show equivalence of these definitions, which is also non-trivial and makes intensive use of Weil reciprocity, and we prove the five properties of the Weil pairing using for each the definition that yields the easiest proof.
First definition of the Weil pairing ([Sil86, §III.8], [Eng99, §3.7]). For $P \in E[n]$, consider $D = [n]^*([P] - [O]) = \sum_{R \in E[n]} ([P_0 + R] - [R])$, where $P_0$ is any point such that $nP_0 = P$. By Theorem 1, $D$ is principal; let $g_P$ be such that $\operatorname{div} g_P = D$. Let again $\tau_Q : R \mapsto R + Q$ denote the translation by $Q \in E[n]$. Then

$$e_n(P, Q) = \frac{g_P \circ \tau_Q}{g_P}. \tag{5}$$

While $g_P$ is defined only up to multiplication by non-zero constants, the quotient is a well-defined rational function. Since $\operatorname{div}(g_P \circ \tau_Q) = \operatorname{div}(\tau_Q^*(g_P)) = \tau_Q^*(\operatorname{div} g_P)$ by Theorem 3 and the latter divisor equals

$$\sum_{R \in E[n]} ([P_0 + R - Q] - [R - Q]) = \operatorname{div} g_P$$

for $Q \in E[n]$, the Weil pairing yields indeed a constant in $\bar K$. That it yields an $n$-th root of unity follows from bilinearity.

Proof of Theorem 6(a): Using (c), proved below, it is sufficient to show linearity in the second argument, which follows from the definition:

$$e_n(P, Q_1 + Q_2) = \frac{g_P \circ \tau_{Q_1 + Q_2}}{g_P} = \left( \frac{g_P \circ \tau_{Q_1}}{g_P} \right) \circ \tau_{Q_2} \cdot \frac{g_P \circ \tau_{Q_2}}{g_P} = e_n(P, Q_1)\, e_n(P, Q_2),$$

since the constant $e_n(P, Q_1)$ is invariant under $\tau_{Q_2}$. □

Proof of Theorem 6(d): We sketch the approach of [Eng99, Prop. 3.60]. Using (c), it is sufficient to show non-degeneracy with respect to the first argument. For $P \in E[n]$, suppose that $e_n(P, Q) = 1$ for all $Q \in E[n]$. This means that $g_P$ is invariant under translations by all $Q \in E[n] = \ker([n])$, so that all conjugates of $g_P$ with respect to the field extension $K(E)/[n]^*(K(E))$ are $g_P$ itself, see (3). Hence, there is a function $f_P$ such that $g_P = [n]^*(f_P)$. By Theorem 3, this implies that $\operatorname{div} f_P = [P] - [O]$, which by Theorem 1 implies $P = O$. □
Proof of Theorem 6(e): As a homomorphism, $\alpha$ commutes with $[n]$, and being surjective, it acts as a permutation on $E[n]$. So

$$\begin{aligned}
\operatorname{div}(g_{\alpha(P)}) &= \sum_{R \in E[n]} ([\alpha(P_0) + R] - [R]) \\
&= \sum_{S \in E[n]} ([\alpha(P_0) + \alpha(S)] - [\alpha(S)]) \quad \text{where } R = \alpha(S) \\
&= \alpha_*(\operatorname{div}(g_P)) \\
&= \operatorname{div}(\alpha_*(g_P)) \quad \text{by Theorem 4.}
\end{aligned}$$

This implies $g_{\alpha(P)} = c\, \alpha_*(g_P)$ for some $c \in \bar K^*$, and

$$g_{\alpha(P)} \circ \alpha = \alpha^*(g_{\alpha(P)}) = c \left( \prod_{R \in \ker \alpha} (g_P \circ \tau_R) \right)^{e_\alpha} \tag{6}$$

by (3). Hence,

$$\begin{aligned}
e_n(\alpha(P), \alpha(Q)) &= e_n(\alpha(P), \alpha(Q)) \circ \alpha = \frac{g_{\alpha(P)} \circ \tau_{\alpha(Q)}}{g_{\alpha(P)}} \circ \alpha = \frac{g_{\alpha(P)} \circ \alpha \circ \tau_Q}{g_{\alpha(P)} \circ \alpha} \\
&= \left( \prod_{R \in \ker \alpha} \frac{g_P \circ \tau_R \circ \tau_Q}{g_P \circ \tau_R} \right)^{e_\alpha} = e_n(P, Q)^{e_\alpha \cdot \#(\ker \alpha)} \\
&= e_n(P, Q)^{\deg \alpha}.
\end{aligned}$$

Concerning the second equation, let $P$ be such that $\alpha(P) = P'$; then $\hat\alpha(P') = (\hat\alpha \circ \alpha)(P) = (\deg \alpha) P$, and

$$e_n(\hat\alpha(P'), Q) = e_n(P, Q)^{\deg \alpha} = e_n(\alpha(P), \alpha(Q)) = e_n(P', \alpha(Q)).$$

□

Second definition of the Weil pairing. For $P, Q \in E[n] \setminus \{O\}$, $P \neq Q$, let $f_P$ and $f_Q$ be such that $\operatorname{div} f_P = n[P] - n[O]$ and $\operatorname{div} f_Q = n[Q] - n[O]$, which is possible by Theorem 1. Then

$$e_n(P, Q) = (-1)^n\, \frac{f_P(Q)}{f_Q(P)} \cdot \frac{f_Q}{f_P}(O); \tag{7}$$

if $f_P$ and $f_Q$ are chosen monic at $O$ as in Definition 2, then

$$e_n(P, Q) = (-1)^n\, \frac{f_P(Q)}{f_Q(P)}.$$

For $P = Q$ or one or both of $P$ and $Q$ being $O$, the definition needs to be completed by $e_n(P, Q) = 1$.

Remark 7 This definition is the most suited one for computations, see Algorithm 11. The factor $(-1)^n$ is often missing in the literature.

Proof of equivalence of the two definitions: We essentially follow [CC90, §10]. Assume that $e_n$ is defined as in (5).

Let $P_0$ and $Q_0$ be such that $nP_0 = P$ and $nQ_0 = Q$. Let $g_P$ be the function, monic at $O$, such that

$$\operatorname{div}(g_P) = \sum_{R \in E[n]} ([P_0 + R] - [R]),$$

and similarly for $g_Q$.

If $P = O$, we may take $P_0 = O$, which shows that $g_O = 1$ and $e_n(O, Q) = 1$. If $Q = O$, then $\tau_Q = \mathrm{id}$, and $e_n(P, O) = 1$. So from now on, $P, Q \neq O$.

Let $h_Q$ be the function, monic at $O$, such that

$$\operatorname{div} h_Q = (n - 1)[Q_0] + [Q_0 - Q] - n[O],$$

which exists by Theorem 1, and let $H_Q = \prod_{R \in E[n]} (h_Q \circ \tau_R)$. By comparing divisors and leading coefficients, $H_Q = \operatorname{lc}(H_Q) \cdot g_Q^n$.

By generalised Weil reciprocity of Theorem 5, we have

$$\prod_{S \in \operatorname{supp}(\operatorname{div} g_P) \cup \operatorname{supp}(\operatorname{div} h_Q)} (g_P, h_Q)_S = 1.$$
If $P \neq Q$, then $\operatorname{supp}(\operatorname{div} g_P) \cap \operatorname{supp}(\operatorname{div} h_Q) = \{O\}$, and we easily compute the different contributions of tame symbols:

$$\begin{aligned}
(g_P, h_Q)_{Q_0} &= g_P^{n-1}(Q_0) \\
(g_P, h_Q)_{Q_0 - Q} &= g_P(Q_0 - Q) \\
(g_P, h_Q)_{P_0 + R} &= h_Q^{-1}(P_0 + R) \quad \text{for } R \in E[n] \\
(g_P, h_Q)_R &= h_Q(R) \quad \text{for } R \in E[n] \setminus \{O\} \\
(g_P, h_Q)_O &= (-1)^n\, \frac{h_Q}{g_P^n}(O) = (-1)^n \quad \text{since } g_P \text{ and } h_Q \text{ are monic at } O.
\end{aligned}$$

Multiplying them together, we find that

$$1 = g_P^{n-1}(Q_0)\, g_P(Q_0 - Q)\, \frac{1}{H_Q(P_0)}\, \frac{H_Q}{h_Q}(O)\, (-1)^n = \frac{g_P^n(Q_0)}{e_n(P, Q)} \cdot \frac{1}{\operatorname{lc}(H_Q)\, g_Q^n(P_0)} \cdot \operatorname{lc}(H_Q) \cdot (-1)^n = (-1)^n\, \frac{g_P^n(Q_0)}{g_Q^n(P_0)\, e_n(P, Q)},$$

using $g_P(Q_0 - Q)/g_P(Q_0) = e_n(P, -Q) = e_n(P, Q)^{-1}$ and $(H_Q/h_Q)(O) = \operatorname{lc}(H_Q)\, (g_Q^n/h_Q)(O) = \operatorname{lc}(H_Q)$.

Since $\operatorname{div}(g_P^n) = n [n]^*([P] - [O]) = [n]^* \operatorname{div}(f_P)$, Theorem 3 implies that

$$g_P^n = c^{-1} \cdot [n]^*(f_P)$$

with $c = \operatorname{lc}([n]^*(f_P)) = \left( (f_P \circ [n]) \left( \frac{X}{Y} \right)^n \right)(O)$. An analogous equation holds for $g_Q$, so that

$$\frac{g_P^n(Q_0)}{g_Q^n(P_0)} = \frac{f_P(Q)}{f_Q(P)} \cdot \frac{f_Q}{f_P}(O).$$

If $P = Q$, then $\operatorname{supp}(\operatorname{div}(h_Q)) \subseteq \operatorname{supp}(\operatorname{div}(g_Q))$, and a similar computation shows that $e_n(P, P) = 1$. □

Proof of Theorem 6(b): This is part of the second definition. (The only statement needing proof is that this also holds for the first definition, as shown above.) □

Proof of Theorem 6(c): This is immediate from (7). □



Third definition of the Weil pairing. For any degree zero divisor $D$ such that $nD \sim 0$ in $\mathrm{Pic}^0(E)$, we denote by $f_D$ the function, monic at $O$, such that $\operatorname{div}(f_D) = nD$; thus $f_{[P] - [O]} = f_P$. Choose $D_P \sim [P] - [O]$ and $D_Q \sim [Q] - [O]$ with disjoint supports. Then

$$e_n(P, Q) = \frac{f_{D_P}(D_Q)}{f_{D_Q}(D_P)}. \tag{8}$$

Note the similarity with (7), but also the missing factor $(-1)^n$, due to the common pole of $f_P$ and $f_Q$.

Remark 8 The third definition corresponds to Weil's original one in [Wei40]. The first definition is given in [Sil86, Eng99] with the roles of $P$ and $Q$ exchanged, which by the alternation property yields the inverse of the Weil pairing. The definition with $P$ and $Q$ in the order of this paper is used in the Notes on Exercises, p. 462 of the second edition of [Sil86], as well as in
One needs to check that (8) is well-defined. Let $D'_Q \sim [Q] - [O]$ be another possible choice instead of $D_Q$. Then $D'_Q = D_Q + \operatorname{div}(h)$ for some function $h$ with support disjoint from $D_P$, and $f_{D'_Q} = f_{D_Q} h^n$, which implies

$$\frac{f_{D_P}(D'_Q)}{f_{D'_Q}(D_P)} = \frac{f_{D_P}(D_Q)\, f_{D_P}(\operatorname{div} h)}{f_{D_Q}(D_P)\, h(D_P)^n} = \frac{f_{D_P}(D_Q)\, f_{D_P}(\operatorname{div} h)}{f_{D_Q}(D_P)\, h(\operatorname{div} f_{D_P})} = \frac{f_{D_P}(D_Q)}{f_{D_Q}(D_P)}$$

by Weil reciprocity (4). By symmetry, the same argument holds when $D_P$ is chosen differently.
Proof of equivalence between the second and third definitions: A proof is given in [Mil04, Prop. 8]. The basic idea is to choose $D_P = [P - R] - [-R]$ and $D_Q = [Q + R] - [R]$ for some point $R$. Then (8) becomes

$$\frac{f_{D_P}(Q + R)}{f_{D_Q}(P - R)} \cdot \frac{f_{D_Q}(-R)}{f_{D_P}(R)}.$$

Informally, letting $R \to O$, the first factor tends to $e_n(P, Q)$ as defined in (7), the second factor tends to $(-1)^n$. This can be made rigorous using formal groups or the Deuring lift of $E$ to the field of complex numbers.

Alternatively, one may again use generalised Weil reciprocity. Let $D_P = [P] - [O]$, so that $f_{D_P} = f_P$. Let $R$ be such that $D_Q = [Q + R] - [R]$ has disjoint support with $D_P$; then $D_Q = [Q] - [O] + \operatorname{div}(h)$ with $h$ monic at $O$ such that $\operatorname{div} h = [Q + R] - [Q] - [R] + [O]$, and $f_{D_Q} = f_Q h^n$.

Assume first that $P \neq Q$. Then by Theorem 5,

$$1 = \prod_S (f_P, h)_S = \frac{f_P(Q + R)}{f_P(Q)\, f_P(R)\, h^n(P)} \cdot (-1)^n\, (f_P h^n)(O) = \frac{f_P(Q + R)}{f_P(Q)\, f_P(R)\, h^n(P)} \cdot (-1)^n\, \operatorname{lc}(f_P).$$

Then

$$\frac{f_{D_P}(D_Q)}{f_{D_Q}(D_P)} = \frac{(f_Q h^n)(O)}{(f_Q h^n)(P)} \cdot \frac{f_P(Q + R)}{f_P(R)} = \frac{\operatorname{lc}(f_Q)\, f_P(Q)}{f_Q(P)} \cdot \frac{f_P(Q + R)}{f_P(Q)\, h^n(P)\, f_P(R)} = (-1)^n\, \frac{f_P(Q)}{f_Q(P)} \cdot \frac{\operatorname{lc}(f_Q)}{\operatorname{lc}(f_P)}$$

by the previous equation.

If $P = Q$, a similar computation shows that (8) evaluates to 1. □



4 Tate pairing 

Computationally, the Tate pairing can be seen as "half a Weil pairing"; the idea is to define it directly as $f_P(Q)$ instead of the quotient (7). Its precise definition depends on an additional field $L$ such that $E[n]$ is defined over $L$; usually, but not necessarily, $L$ is chosen minimal with this property.

First definition of the Tate pairing. Let $P \in E[n]$, let $D_P$ be a degree zero divisor, defined over $L$, with $D_P \sim [P] - [O]$, and let $f_{D_P}$, defined over $L$, be such that $\operatorname{div} f_{D_P} = nD_P$. Let $Q$ be another point on $E(L)$ (not necessarily of $n$-torsion) and let $D_Q \sim [Q] - [O]$ be defined over $L$ of support disjoint with $D_P$. Then the Tate pairing of $P$ and $Q$ is given by

$$e_n^T(P, Q) = f_{D_P}(D_Q). \tag{9}$$

Algorithm 11 shows that $f_{D_P}$ may indeed be defined over $L$, so that the pairing takes values in $L$. Notice that $f_{D_P}$ is defined only up to a multiplicative constant, but that this does not change the pairing value since $D_Q$ is of degree 0. Weil reciprocity (4) shows that if $D_Q$ is replaced by $D'_Q = D_Q + \operatorname{div} h \sim D_Q$, then (9) is multiplied by $h(D_P)^n$. Replacing $D_P$ by $D'_P = D_P + \operatorname{div} h$ changes $f_{D_P}$ to $f_{D'_P} = f_{D_P} h^n$ and thus multiplies the pairing value by an $n$-th power. So the pairing value is well defined up to $n$-th powers in $L$.

Finally, if $Q$ is replaced by $Q + nR$ with $R \in E(L)$, the value changes again by an $n$-th power. This leads to adapting the range and domain of (9) as follows.

Theorem 9 For $E[n] \subseteq E(L)$, the Tate pairing is a map

$$e_n^T : E[n] \times E(L)/nE(L) \to L^*/(L^*)^n$$

satisfying the following properties as defined in Theorem 6:

(a) Bilinearity,

(b) Non-degeneracy,

(c) Compatibility with isogenies.

Proof: Bilinearity is immediate from the definition using $[Q_1 + Q_2] - [O] \sim [Q_1] + [Q_2] - 2[O]$ by Theorem 1, so that $D_{Q_1 + Q_2} = D_{Q_1} + D_{Q_2}$ and $f_{D_{P_1 + P_2}} = f_{D_{P_1}} f_{D_{P_2}}$.

Non-degeneracy does not hold over arbitrary fields, and the proofs use the structure of the groups over a finite field, see [FR94, Hes04, Sch05, Bru11].

Let $\alpha$ be an isogeny. We may assume that $D_P$ and $D_Q$ are chosen so that all function values encountered during the proof are defined and non-zero. From the observation that $D_{\alpha(P)} = \alpha_*(D_P)$, one shows as in (6) that

$$e_n^T(\alpha(P), \alpha(Q)) = f_{D_{\alpha(P)}}(D_{\alpha(Q)}) = \left( \prod_{R \in \ker \alpha} f_{D_P}((\tau_R)_*(D_Q)) \right)^{e_\alpha};$$

the constant $c$ of (6) disappears since $f_{D_P}$ is evaluated in divisors of degree 0. Now Theorem 1 shows that $(\tau_R)_*(D_Q) \sim D_Q$, so that each factor equals $e_n^T(P, Q)$, which finishes the proof. □

Again, an alternative definition yields a computationally advantageous form of the pairing.




Second definition of the Tate pairing. For $P \in E[n]$ and $Q \in E(L)$ (representing a class modulo $nE(L)$), $P, Q \neq O$ and $P \neq Q$, let $f_P$ be such that $\operatorname{div}(f_P) = n[P] - n[O]$. Then

$$e_n^T(P, Q) = \frac{f_P(Q)}{\operatorname{lc}(f_P)}; \tag{10}$$

if $f_P$ is chosen monic as in Definition 2,

$$e_n^T(P, Q) = f_P(Q).$$

For one or both of $P$ and $Q$ equal to $O$, one has $e_n^T(P, Q) = 1$. If $P = Q$, one may choose some point $R \in E(L)$ such that $nR \notin \{O, -Q\}$, if it exists, and replace $Q$ by $Q + nR$.

Proof of equivalence of the two definitions: Letting $D_Q = [Q] - [O]$, so that $f_{D_Q} = f_Q$, and $D_P = [P + R] - [R]$ so that $D_P$ and $D_Q$ have disjoint supports and $f_{D_P} = f_P h^n$ for the function $h$, monic at $O$, with $\operatorname{div}(h) = [P + R] - [P] - [R] + [O]$, we immediately obtain

$$f_{D_P}(D_Q) = \frac{(f_P h^n)(Q)}{(f_P h^n)(O)} = \frac{f_P(Q)\, h^n(Q)}{\operatorname{lc}(f_P)} \equiv \frac{f_P(Q)}{\operatorname{lc}(f_P)}$$

up to $n$-th powers. □

Unlike the Weil pairing, the Tate pairing is neither alternating nor identically 1 on the diagonal (which is hardly surprising given that its two arguments live in different sets). On single $n$-torsion points $P$, it may or may not hold that $e_n^T(P, P) = 1$.

The definition of the domain of the Tate pairing as a quotient group is unwieldy in cryptographic applications, where unique representatives of pairing results are desired. It can be remedied by observing that $L^*$ is a cyclic group of order $\#L - 1 = q^k - 1$, which is divisible by $n$; so the map

$$L^*/(L^*)^n \to \mu, \quad x \mapsto x^{\frac{q^k - 1}{n}}$$

is an isomorphism with the $n$-th roots of unity $\mu$, and the reduced Tate pairing

$$\hat e_n^T : E[n] \times E(L)/nE(L) \to \mu, \quad (P, Q) \mapsto e_n^T(P, Q)^{\frac{q^k - 1}{n}} = f_P(Q)^{\frac{q^k - 1}{n}} \tag{11}$$

(for $P, Q \neq O$, $P \neq Q$) is an equivalent pairing with the same properties as the Tate pairing itself.

It is not generically possible to similarly replace the set $E(L)/nE(L)$ from which the second argument is taken by $E[n]$. As an abelian group, $E(L)$ is isomorphic to $\mathbb{Z}/n_1\mathbb{Z} \times \mathbb{Z}/n_2\mathbb{Z}$ with $n \mid n_1 \mid n_2$, and $E(L)/nE(L) \simeq \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$. Consider the homomorphism

$$\psi : E(L)/nE(L) \to E[n], \quad Q \mapsto \frac{n_2}{n}\, Q.$$

This homomorphism is injective (and thus an isomorphism by cardinality considerations) if and only if $\gcd\left(\frac{n_2}{n_1}, n\right) = 1$. A sufficient (but not necessary) condition is that $\gcd\left(\frac{n_2}{n}, n\right) = 1$, or equivalently $\gcd\left(\frac{\#E(L)}{n^2}, n\right) = 1$; this is often satisfied in cryptography, where $n$ is a large prime. Then the function

$$e : E[n] \times E[n] \to \mu, \quad (P, Q) \mapsto f_P(Q)^{\frac{q^k - 1}{n}}$$

satisfies $e(P, Q) = \hat e_n^T(P, \psi^{-1}(Q))^{\frac{n_2}{n}}$, and since powering by $\frac{n_2}{n}$ induces a permutation on $\mu$, it inherits the properties of the reduced Tate pairing.



5 Computation 

The main ingredients of the Weil and the Tate pairings are functions with given divisors; an algorithm computing them is published in [Mil04] and has become known as Miller's algorithm. The basic idea is to have the tangent-and-chord law of §2.1 not only reduce a sum of two points to only one point, but at the same time output the lines that have served for the reduction. Applied iteratively, it thus reduces a principal divisor to 0 and returns the function having this divisor as a quotient of products of lines. The algorithm is applicable to any principal divisor, but we only present it for the case of $nD = n[P] - n[O]$ where $P$ is an $n$-torsion point, which can be used for computing the Weil pairing via (7) and the (reduced) Tate pairing via (9) or (10) and (11).

Definition 10 For $i \in \mathbb{Z}$, let $f_{i,P}$ be the function (monic at $O$) with divisor $i[P] - [iP] - (i - 1)[O]$.

The function $f_{i,P}$ exists by Theorem 1. Notice that $f_{1,P} = 1$ and $f_{n,P} = f_P$. The tangent-and-chord law, applied to $iP$ and $jP$, shows that

$$f_{i+j,P} = f_{i,P}\, f_{j,P}\, \frac{\ell_{iP,jP}}{v_{(i+j)P}} \tag{12}$$

with $\ell$, $v$ defined as in (2), (1) for $i \not\equiv -j \pmod n$; for $j \equiv -i \pmod n$, $\ell_{iP,(n-i)P} = v_{iP}$ and $v_O = 1$. Moreover,

$$f_{-i,P} = \frac{1}{f_{i,P}\, v_{iP}}.$$

These observations yield the following algorithm:
Algorithm 11

Input: An integer $n$ and an $n$-torsion point $P$
Output: $\ell$ and $v$, products of lines, such that $f_P = \ell / v$

(a) Compute an addition-negation chain $r_1, \ldots, r_s$ for $n$, that is, a sequence such that $r_1 = 1$, $r_s = n$ and each element $r_i$ is either

• the negative of a previously encountered one: There is $1 \leq j(i) < i$ such that $r_i = -r_{j(i)}$; or

• the sum of two previously encountered ones: There are $1 \leq j(i) \leq k(i) < i$ such that $r_i = r_{j(i)} + r_{k(i)}$.

(b) $P_1 \leftarrow P$, $L_1 \leftarrow 1$, $V_1 \leftarrow 1$

(c) for $i = 2, \ldots, s$
        $j \leftarrow j(i)$, $k \leftarrow k(i)$
        if $r_i = -r_j$
            $P_i \leftarrow -P_j$
            $L_i \leftarrow V_j$
            $V_i \leftarrow L_j\, v_{P_i}$
        else
            $P_i \leftarrow P_j + P_k$
            $L_i \leftarrow L_j\, L_k\, \ell_{P_j, P_k}$
            $V_i \leftarrow V_j\, V_k\, v_{P_i}$

(d) return $\ell = L_s$, $v = V_s$

Throughout the loop, we have $P_i = r_i P$ and $L_i / V_i = f_{r_i, P}$, which proves the correctness of the algorithm. The numerator $\ell$ and the denominator $v$ are computed separately to avoid costly divisions in a direct computation of $f_P$. Memory handling of the algorithm is simplified if the standard double-and-add addition chain is used, in which $r_i = 2 r_{i-1}$ or $r_i = r_{i-1} + 1$, so that the result can be accumulated in two variables $\ell$ and $v$, see [Gal05, Alg. IX.1].

For a reasonable addition-negation chain of length $s \in O(\log n)$, the algorithm carries out $O(\log n)$ steps. Unfortunately, the degrees of $L_i$ and $V_i$ grow exponentially to reach $O(n)$. This problem can be solved in two ways: Instead of storing $L_i$ and $V_i$ as dense polynomials, store them in factored form as a product of lines. This may make sense if several pairings with the same $P$ are computed.

Otherwise, if $f_P(E)$ is sought for a divisor $E$, one may compute directly $L_i(E)$ and $V_i(E)$ during the loop, thus manipulating only elements of the finite field $L$; one should then separate again according to the points with positive or negative multiplicity in $E$ to avoid divisions. This approach fails when $E$ contains any of the points $P_i = r_i P$ encountered during the algorithm, which will then be zeroes of some of the lines. The solution given in [Mil04] is to work with the leading coefficients of the lines with respect to their Laurent series in local parameters associated to the points in the support of $E$ (analogously to Definition 2). Alternatively, one might regroup quotients of consecutive lines having $P_i$ as zeroes and replace them (by working modulo the curve equation) by a rational function that is defined and non-zero in $P_i$. Both approaches are not very practical, since they replace simple arithmetic in a finite field by more complicated symbolic algebra. A simpler technique is to replace the divisor $E$ by an equivalent divisor not containing any of the $P_i$ in its support, and using (8) and (9); the price to pay is that $E$ then contains at least two points instead of only one in (7) and (10). Concerning the Tate pairing, since the second argument $Q$ is defined only up to $n$-th multiples, one may replace it by $Q + nR$ for some point $R$. Finally, one may simply use an addition-negation chain avoiding the support of $E$. Since any addition chain necessarily passes through 2, it may be necessary to use negation if $E$ contains $2P$ in its support.

The reduced Tate pairing (11) is usually faster to compute than the Weil pairing (7): It requires only one instead of two applications of Algorithm 11. On the other hand, the advantage is partially lost through the final exponentiation in the reduced Tate pairing.
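The following is an added worked example, not code from Enge's paper: it runs Algorithm 11 in double-and-add form with every line evaluated at the second argument on the fly, as described above, and uses the resulting $f_P(Q)$ for the reduced Tate pairing (11) and, with a second run, for the Weil pairing (7) with monic $f_P$, $f_Q$. All parameters and function names are the example's own constructed choices: $p = 23$, the supersingular curve $y^2 = x^3 + x$ with $\#E(\mathbb{F}_p) = 24$, $r = 3$, embedding degree $k = 2$, $L = \mathbb{F}_{p^2} = \mathbb{F}_p(i)$, and the distortion map $(x, y) \mapsto (-x, iy)$ of §6.1, which takes the second argument off $E(\mathbb{F}_p)$ so that no line produced during the loop vanishes at it.

```python
# Added example, not from Enge's paper.  Constructed toy parameters: p = 23, the
# supersingular curve y^2 = x^3 + x (a_4 = 1, a_6 = 0) with #E(F_p) = p + 1 = 24,
# r = 3 dividing p + 1 but not p - 1 (so k = 2), L = F_{p^2} = F_p(i) with
# i^2 = -1, and the distortion map psi(x, y) = (-x, i*y) of Section 6.1.
p, r, k = 23, 3, 2
A4 = (1, 0)                  # a_4 as an element of F_{p^2}
ONE, ZERO = (1, 0), (0, 0)

# Elements of F_{p^2} are pairs (a, b) standing for a + b*i.
def fadd(x, y): return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)
def fsub(x, y): return ((x[0] - y[0]) % p, (x[1] - y[1]) % p)
def fmul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % p, (x[0]*y[1] + x[1]*y[0]) % p)
def finv(x):                 # (a + b i)^-1 = (a - b i) / (a^2 + b^2)
    d = pow((x[0]*x[0] + x[1]*x[1]) % p, -1, p)
    return (x[0]*d % p, -x[1]*d % p)
def fpow(x, e):
    acc = ONE
    for bit in bin(e)[2:]:
        acc = fmul(acc, acc)
        if bit == '1': acc = fmul(acc, x)
    return acc

# Points are (x, y) with coordinates in F_{p^2}; None is the point at infinity O.
def slope(P, Q):
    """lambda_{P,Q} of (2); callers guarantee P, Q != O and Q != -P."""
    if P == Q:
        return fmul(fadd(fmul((3, 0), fmul(P[0], P[0])), A4), finv(fmul((2, 0), P[1])))
    return fmul(fsub(Q[1], P[1]), finv(fsub(Q[0], P[0])))

def add(P, Q):
    """Tangent-and-chord law of Section 2.1: P + Q = R with [P]+[Q]-[R]-[O] ~ 0."""
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and fadd(P[1], Q[1]) == ZERO: return None   # Q = -P
    lam = slope(P, Q)
    x3 = fsub(fsub(fmul(lam, lam), P[0]), Q[0])
    return (x3, fsub(fmul(lam, fsub(P[0], x3)), P[1]))

def mul(n, P):
    """[n]P by double-and-add."""
    R = None
    for bit in bin(n)[2:]:
        R = add(R, R)
        if bit == '1': R = add(R, P)
    return R

def vert(R, T):
    """v_R(T) = x_T - x_R from (1); v_O = 1."""
    return ONE if R is None else fsub(T[0], R[0])

def line(P, Q, T):
    """l_{P,Q}(T) from (2): chord, tangent if P = Q, and the vertical v_P if Q = -P."""
    if P is None: return vert(Q, T)
    if Q is None: return vert(P, T)
    if P[0] == Q[0] and fadd(P[1], Q[1]) == ZERO: return vert(P, T)
    return fsub(fsub(T[1], P[1]), fmul(slope(P, Q), fsub(T[0], P[0])))

def miller(P, T, n):
    """Algorithm 11 on the double-and-add chain of n, with each line evaluated at T
    as soon as it is produced (Section 5).  Returns (L, V) with f_{n,P}(T) = L / V,
    f_{n,P} being the monic function of Definition 10 accumulated via (12)."""
    R, L, V = P, ONE, ONE                      # r_1 = 1: P_1 = P, f_{1,P} = 1
    for bit in bin(n)[3:]:
        L = fmul(fmul(L, L), line(R, R, T))    # f_{2i,P} = f_{i,P}^2 l_{iP,iP} / v_{2iP}
        R = add(R, R)
        V = fmul(fmul(V, V), vert(R, T))
        if bit == '1':                         # f_{i+1,P} = f_{i,P} l_{iP,P} / v_{(i+1)P}
            L = fmul(L, line(R, P, T))
            R = add(R, P)
            V = fmul(V, vert(R, T))
    return L, V

def reduced_tate(P, Q):
    """(11): f_P(Q)^((p^k - 1)/r) for P in E(F_p)[r], Q in E(L) with P != Q."""
    L, V = miller(P, Q, r)
    return fpow(fmul(L, finv(V)), (p**k - 1) // r)

def weil(P, Q):
    """(7) for distinct non-zero P, Q in E[r], with f_P and f_Q monic at O because
    they are products of monic lines: e_r(P, Q) = (-1)^r f_P(Q) / f_Q(P)."""
    LP, VP = miller(P, Q, r)
    LQ, VQ = miller(Q, P, r)
    val = fmul(fmul(LP, VQ), finv(fmul(VP, LQ)))
    return val if r % 2 == 0 else fsub(ZERO, val)

def distort(P):
    """Distortion map psi(x, y) = (-x, i y) on an affine point of E(F_p)."""
    return ((-P[0][0] % p, 0), (0, P[1][0]))

def order_r_point():
    """A point of G_1 = E(F_p)[r], obtained as in Section 6 by multiplying an affine
    point of E(F_p) by the cofactor #E(F_p)/r = (p + 1)/r."""
    for x in range(p):
        for y in range(p):
            if (y*y - x**3 - x) % p == 0:
                P = mul((p + 1) // r, ((x, 0), (y, 0)))
                if P is not None: return P
```

With these parameters both pairings of $P$ with $\psi(P)$ evaluate to a primitive cube root of unity in $\mathbb{F}_{p^2}$, and the bilinearity and alternation properties of Theorems 6 and 9 can be checked directly on the returned values.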

6 Pairings on cyclic subgroups 

All supposedly hard problems on which pairing-based cryptographic primitives rely can be broken by computing discrete logarithms arbitrarily in $E[n]$ or the group $\mu$ of $n$-th roots of unity in the embedding field $L$. So algorithms using Chinese remaindering for discrete logarithms imply that $n = r$ being prime is the best choice. Then $E[r]$ is a group of order $r^2$ isomorphic to $\mathbb{Z}/r\mathbb{Z} \times \mathbb{Z}/r\mathbb{Z}$. For the sake of security proofs, it may be desirable to restrict the Weil and reduced Tate pairings to subgroups, yielding pairings

$$e : G_1 \times G_2 \to \mu \subseteq L$$

on cyclic groups $G_i \subseteq E[r]$ of prime order $r$. In practice, there is no definite need for such a restriction: The choice of points when executing the protocol (for instance, by hashing into $E[r]$) implicitly defines cyclic subgroups $G_i$ generated by these points; but the subgroups change with each execution of the algorithm. Notice, however, that some optimised pairings (see §7) can only be defined on specific subgroups, which are reviewed in the following. An exhaustive description of the cryptographic properties of different subgroups is given by Galbraith, Paterson and Smart in [GPS08]. We retain their classification into type 1, 2 and 3 subgroups and, respectively, pairings, and concentrate on the main characteristics of the different choices.

For the sake of computational efficiency in Algorithm 11, it is desirable that $G_1$ and $G_2$ be defined over fields that are as small as possible. So the curve $E(K)$ is chosen such that $r \mid \#E(K)$, and $G_1$ is generated by a point of order $r$ defined over $K$. As usual in cryptography, we assume that $k \geq 2$. Then $G_1$ is defined uniquely as $E(K)[r]$, and the pairing types differ in their selection of $G_2$. An important cryptographic property that may or may not be given is hashing into the different groups, or the (essentially equivalent) possibility of random sampling from the groups. It is a trivial observation that if $H : \{0, 1\}^* \to \{0, \ldots, r - 1\}$ is a collision-resistant hash function and $G_i = \langle P_i \rangle$, then $H_i : \{0, 1\}^* \to G_i$, $m \mapsto H(m) P_i$, is also collision-resistant. But $H_i$ reveals discrete logarithms, which breaks most pairing-based cryptographic primitives. A comparatively expensive way of hashing into $G_1$ is to first hash into a point on $E(K)$ (by hashing to its $X$- or $Y$-coordinate and solving the resulting equation for the other coordinate; if no solution exists, one needs to hash the message concatenated with a counter that is increased upon each unsuccessful trial). One may then multiply by the cofactor $h = \frac{\#E(K)}{r}$, which yields a point in $G_1$. A similar procedure hashes to arbitrary $r$-torsion points, but these need not lie in the fixed subgroup $G_2$.
6.1 Type 1: $G_1 = G_2$

Most of the early papers on pairing-based cryptography are formulated only for the case of a symmetric pairing, in which $G_2 = G_1$. However, it is in fact not possible to simply choose the arguments of the Weil and reduced Tate pairings of the preceding sections from $G_2 = G_1$, since then the pairing becomes trivial. This is clear for the Weil pairing from Theorem [...](b), but also holds for the reduced Tate pairing: Algorithm 11 implies that the result lies in the field $K$ over which both arguments are defined, but $K \cap \mu_r = \{1\}$. A symmetric pairing may be obtained for supersingular curves with a so-called distortion map, an explicit monomorphism $\psi : E(K)[r] \to E[r] \setminus G_1$. The non-degeneracy of the Weil pairing then implies that

$$e : G_1 \times G_1 \to \mu_r, \quad (P, Q) \mapsto e_r(P, \psi(Q))$$

is also a non-degenerate pairing; the same usually holds for the reduced Tate pairing.

Algebraic distortion maps cannot exist for ordinary curves, whose endomorphism rings are abelian: if $\psi$ were a rational map and thus an endomorphism, it would commute with the Frobenius, and the image of $G_1 \subset E(K)[r]$ would again lie in $E(K)$ and thus be equal to $G_1$.

Conversely, supersingular curves have a non-abelian endomorphism ring, and it has been shown by Galbraith and Rotger in [GR04, Th. 5.2] that they always admit an algebraic distortion map coming from the theory of complex multiplication (cf. [Deu41]) as long as $r \geq 5$; the same article describes an algorithm for explicitly determining such a map. It is well known that supersingular curves with $k = 2$ admit particularly simple distortion maps, namely,

$$\psi(x, y) = (-x, iy) \qquad (13)$$

for $E : Y^2 = X^3 + X$ over $\mathbb{F}_p$ with $p \equiv 3 \pmod 4$ and

$$\psi(x, y) = (\beta x, y) \qquad (14)$$

for $E : Y^2 = X^3 + 1$ over $\mathbb{F}_p$ with $p \geq 5$ and $p \equiv 2 \pmod 3$, where $\beta$ and $i$ are primitive third and fourth roots of unity, respectively, in $\mathbb{F}_{p^2}$.

If the $X$-coordinate of $\psi$ is defined over $K$ (for instance, in (13), but not in (14)), it is observed in [BKLS02] that the computation of the reduced Tate pairing

$$e(P, Q) = e_r^T(P, \psi(Q)) = f_{r,P}(\psi(Q))^{(q^k - 1)/r} \quad \text{by (11)}$$

can be simplified by omitting denominators. Indeed, notice that if a pure addition chain (without subtractions) is used, the denominator $v$ returned by Algorithm 11 is a polynomial in $K[X]$ not involving $Y$; since $X(\psi(Q)) \in K$, the value $v(\psi(Q))$ lies in $K$ and disappears through the final exponentiation.

The main drawback of type 1 pairings is the lack of flexibility of the embedding degree $k$: since it is limited to supersingular curves, we have $k \leq 2$ for curves over fields of characteristic at least 5, $k \leq 4$ over fields of characteristic 2 and $k \leq 6$ over fields of characteristic 3 by [Wat69, Theorem 4.1].

6.2 Type 2: $G_2 \neq G_1$

The pairing is of type 2 when there is an efficiently computable monomorphism $\psi$ from $G_2$ to $G_1$. In some sense, this is the converse of type 1, where there is a non-trivial monomorphism from $G_1$ into another $r$-torsion group. This case, however, is essentially the generic one and available in supersingular and ordinary curves alike. Let $\pi : (x, y) \mapsto (x^q, y^q)$ be the Frobenius endomorphism related to the field extension $L/K = \mathbb{F}_{q^k}/\mathbb{F}_q$. Then $E(K)$ is fixed by $\pi$ or, otherwise said, $G_1$ consists of the $r$-torsion points that are eigenvectors under $\pi$ with eigenvalue 1. Hasse's theorem then implies that the $r$-torsion of $E$ is generated by one point $P$ with eigenvalue 1 and another point $Q$ with eigenvalue $q$. We now consider the trace defined as a map on points by

$$\mathrm{Tr} : E(L) \to E(K), \quad R \mapsto \sum_{i=0}^{k-1} \pi^i(R).$$

Since the trace of a point is invariant under $\pi$, it is indeed a point defined over $K$. We have $\mathrm{Tr}(P) = kP \neq O$ in a cryptographic context, where $r$ is much bigger than $k$, and

$$\mathrm{Tr}(Q) = Q + qQ + \cdots + q^{k-1} Q = \frac{q^k - 1}{q - 1}\, Q = O$$

since the order $r$ of $Q$ divides $q^k - 1$, but not $q - 1$. If $R$ is any $r$-torsion point, then $R = aP + bQ$, $\mathrm{Tr}(R) = akP$ and $Q' = kR - \mathrm{Tr}(R) = kbQ \in \langle Q \rangle$. Unless $R \in \langle P \rangle$, in which case $Q' = O$, the element $Q'$ is thus a generator of $\langle Q \rangle$, which can be found efficiently by a randomised algorithm.

Let $R$ be an arbitrary $r$-torsion point that is a pure multiple of neither $P$ nor $Q$ (which can be checked using the Weil pairing; in practice, a random $r$-torsion point satisfies this restriction with overwhelming probability). Let $G_2 = \langle R \rangle$ and $\psi = \mathrm{Tr}$.

The existence of $\psi$ reduces problems (for instance, the discrete logarithm problem or the decisional Diffie-Hellman problem) defined in terms of $G_2$ to problems defined in terms of $G_1$, which may be helpful for reductionist security proofs. But as usual, the existence of additional algebraic structures (here, the map $\psi$) raises doubts as to the introduction of a security flaw. Furthermore, hashing or random sampling in $G_2$ appears to be impossible, except for the trivial approach revealing discrete logarithms. Recent work by Chatterjee and Menezes [CM11] introduces a heuristic construction to transform a cryptographic primitive in the type 2 setting, together with its security argument, into an equivalent type 3 primitive. Thus, type 2 pairings should probably be avoided in practice.

6.3 Type 3

The remaining case where there is no apparent, efficiently computable monomorphism $G_2 \to G_1$ is called type 3. In the light of the discussion of §6.2, this implies that

$$G_2 = \{R \in E[r] : \pi(R) = qR\} = \{R \in E[r] : \mathrm{Tr}(R) = O\}.$$

The previous discussion has also shown how to find a generator of $G_2$. Hashing into $G_2$ may be accomplished in a similar manner: hash to an arbitrary point $R \in E[r]$, and define $kR - \mathrm{Tr}(R)$ as the final hash value.

7 Loop-shortened pairings

Subsequent work has concentrated on devising pairings with a shorter loop in Algorithm 11, generally starting from the Tate pairing (10). It turns out that in certain special cases,

$$e(P, Q) = f_{\lambda,P}(Q) \quad \text{or} \quad e(P, Q) = f_{\lambda,Q}(P)$$

define non-degenerate, bilinear pairings for $\lambda \ll n$, where $f_{\lambda,P}$ is defined as in Definition 10. The proof proceeds by showing that the pairing is the $M$-th power of the original Tate pairing for some $M$ prime to $n$. Cryptographic applications may then directly use the new pairing, or, for the sake of interoperability, the Tate pairing may be retrieved by an additional exponentiation with $M^{-1} \bmod n$. The first such pairing, called $\eta$ pairing, was described by Barreto, Galbraith, Ó hÉigeartaigh and Scott in [BGOS07]. It was limited to supersingular curves and thus yielded a type 1 pairing (see §6.1). The examples in [BGOS07] show that $\lambda \approx \sqrt{n}$ is achievable in supersingular curves over fields of characteristic 2 and 3.

In the remainder of this section, we fix the same setting as in §6. In particular, $n = r$ is prime. All pairings will be defined on $G_1 \times G_2$, where $G_1 = E(K)[r]$ and $G_2$ is the set of $r$-torsion points defined over $L = \mathbb{F}_{q^k}$ with eigenvalue $q$ under the Frobenius $\pi : (x, y) \mapsto (x^q, y^q)$. This is crucial for the proofs, and incidentally leads to type 3 pairings.

Lemma 12 Let $P \in E[n]$. If $N$ is such that $n \mid N \mid q^k - 1$, then

$$f_{N,P} = f_{n,P}^{N/n}.$$

If $N$ is such that $n \mid N$, then

$$f_{N+1,P} = f_{N,P}.$$

Both properties hold by definition; the first one was used in [GHS02, §6] to speed up the computation by replacing $r$ with a small multiple of low Hamming weight.

7.1 Ate pairing

The ate pairing is defined in [HSV06, Theorem 1] as

$$e_T^A : G_1 \times G_2 \to L^*/(L^*)^r, \quad (P, Q) \mapsto f_{T,Q}(P) \qquad (15)$$

with $T = t - 1$.

Theorem 13 $e_T^A$ is bilinear, and if $r^2 \nmid T^k - 1$, it is non-degenerate. More precisely,

$$e_T^A(P, Q)^{k q^{k-1}} = e_r^T(Q, P)^{(T^k - 1)/r}.$$

For the ate pairing and all other pairings presented in the following, a reduced variant with unique values in $\mu_r \subset L^*$ is obtained as in (11) by raising to the power $\frac{q^k - 1}{r}$.
Proof of Theorem 13: The crucial step is the observation that for any $\lambda$,

$$f_{\lambda, T^i Q} \circ \pi^i = f_{\lambda, q^i Q} \circ \pi^i \quad \text{since } T \equiv q \pmod r$$
$$= f_{\lambda, \pi^i(Q)} \circ \pi^i \quad \text{since } Q \in G_2$$
$$= f_{\lambda, Q}^{\,q^i} \qquad (16)$$

since the coefficients of the rational function $f_{\lambda,Q}$ can be expressed in the coefficients of $Q$ and of the curve, and the latter lie in $\mathbb{F}_q$.

In particular, for $P \in G_1$ and $\lambda = T$, $f_{T, T^i Q}(P) = f_{T,Q}^{\,q^i}(P)$.

Then

$$e_r^T(Q, P)^{(T^k - 1)/r} = f_{r,Q}^{(T^k - 1)/r}(P) = f_{T^k - 1, Q}(P) \quad \text{by Lemma 12}$$
$$= f_{T^k, Q}(P) \quad \text{by Lemma 12, since } T^k - 1 \equiv q^k - 1 \equiv 0 \pmod r$$
$$= \prod_{i=0}^{k-1} f_{T, T^i Q}^{\,T^{k-1-i}}(P) \quad \text{by comparing divisors and collapsing the telescopic sum}$$
$$= f_{T,Q}^{\,\sum_{i=0}^{k-1} T^{k-1-i} q^i}(P) \quad \text{by (16)}$$
$$= e_T^A(P, Q)^{k q^{k-1}} \text{ in } L^*/(L^*)^r, \text{ since } T \equiv q \pmod r. \qquad \square$$

By Hasse's theorem, $T \in O(\sqrt{q})$, so that the number of operations in Algorithm 11 drops generically by a factor of about 2; the effect can, however, be much more noticeable for certain curves. For instance, [FST10] describes a family of curves for $k = 24$ with $r \in O(q^{4/5})$ and $T \in O(q^{1/10}) = O(r^{1/8})$. Notice that $8 = \varphi(24)$, cf. §7.3. A price to pay is that the arguments $P$ and $Q$ are swapped: the elliptic curve operations need to be carried out over $\mathbb{F}_{q^k}$ instead of $\mathbb{F}_q$. (Algorithm 11 in this context is sometimes called "Miller full", while the more favourable situation is called "Miller light".)
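As an added worked example (this is not code from the paper), the following Python script builds the type 3 setting of §6.3 on a constructed toy curve and checks Theorem 13 numerically: $p = 19$ and $r = 5$ (so $r \mid p + 1$ and $k = 2$), a curve found by point counting with trace $t = 5$, $G_1 = E(\mathbb{F}_p)[r]$ obtained by cofactor multiplication as in the hashing procedure of §6, and $G_2$ obtained from the quadratic twist of §7.2 (its points are $(x, iy')$ with $x, y' \in \mathbb{F}_p$) instead of from the trace map of §6.2. Miller's double-and-add loop stands in for Algorithm 11, and the reduction to $\mu_r$ is (11). All function names and parameter values are choices of this example.

```python
# Added example (not the paper's code): the type 3 groups G_1, G_2 of §6.3 and the reduced Tate and
# ate pairings of §7.1 on a constructed toy curve. r | p + 1 but r does not divide p - 1, so k = 2.
p, r, k = 19, 5, 2

class Fp2:
    """a + b*i in F_{p^2} = F_p[i]/(i^2 + 1); -1 is a non-square in F_p since p = 3 (mod 4)."""
    def __init__(self, a, b=0): self.a, self.b = a % p, b % p
    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)
    def __neg__(self): return Fp2(-self.a, -self.b)
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __mul__(self, o): return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    def __truediv__(self, o):   # 1/o = conj(o) / norm(o), and norm(o) lies in F_p^*
        return self * Fp2(o.a, -o.b) * Fp2(pow(o.a * o.a + o.b * o.b, -1, p))
    def __pow__(self, e):       # square-and-multiply, e >= 0
        res = Fp2(1)
        for bit in bin(e)[2:]: res = res * res * (self if bit == "1" else Fp2(1))
        return res
    def frob(self): return Fp2(self.a, -self.b)   # x -> x^p, i.e. i -> -i

# Points are (x, y) with x, y in Fp2, or None for O, on y^2 = x^3 + a x + b with a, b in F_p.
def ec_add(P, Q, a):
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 == -y2: return None                  # Q = -P (also covers y = 0)
        lam = (Fp2(3) * x1 * x1 + Fp2(a)) / (Fp2(2) * y1)
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)

def ec_mul(n, P, a):
    R = None
    for bit in bin(n)[2:]:
        R = ec_add(R, R, a)
        if bit == "1": R = ec_add(R, P, a)
    return R

def legendre(n): return 0 if n % p == 0 else (1 if pow(n % p, (p - 1) // 2, p) == 1 else -1)
def sqrt_fp(n): return pow(n % p, (p + 1) // 4, p)   # square root in F_p, valid as p = 3 (mod 4)

def find_curve():
    """First (a, b) with r | #E(F_p) and trace 0 < t < p, so E is ordinary and T = t - 1 >= 1."""
    for a in range(p):
        for b in range(1, p):
            if (4 * a**3 + 27 * b**2) % p == 0: continue
            order = p + 1 + sum(legendre(x**3 + a * x + b) for x in range(p))
            if order % r == 0 and p + 1 - order > 0: return a, b, p + 1 - order

def generator(a, b, t, twist):
    """twist=False: G_1 = E(F_p)[r], a rational point times the cofactor #E(F_p)/r (as in §6).
    twist=True: G_2 = {Q in E[r] : pi(Q) = qQ}; for k = 2 these are the points (x, i*y') with
    x, y' in F_p, i.e. the quadratic twist of §7.2 (order p + 1 + t) mapped into E(F_{p^2})."""
    cofactor = (p + 1 + t if twist else p + 1 - t) // r
    for x in range(p):
        rhs = (-1 if twist else 1) * (x**3 + a * x + b)
        if legendre(rhs) == 1:
            y = sqrt_fp(rhs)
            R = ec_mul(cofactor, (Fp2(x), Fp2(0, y) if twist else Fp2(y)), a)
            if R is not None: return R

def line(A, B, S, a):
    """Value at S of the line through A and B: the tangent if A == B, vertical if A == -B."""
    (xA, yA), (xB, yB), (xS, yS) = A, B, S
    if xA == xB and yA == -yB: return xS - xA
    lam = (Fp2(3) * xA * xA + Fp2(a)) / (Fp2(2) * yA) if A == B else (yB - yA) / (xB - xA)
    return (yS - yA) - lam * (xS - xA)

def vertical(R, S): return Fp2(1) if R is None else S[0] - R[0]

def miller(n, P, S, a):
    """Algorithm 11: f_{n,P}(S) with div(f_{n,P}) = n[P] - [nP] - (n-1)[O], for n >= 1."""
    T, f = P, Fp2(1)
    for bit in bin(n)[3:]:
        f = f * f * line(T, T, S, a) / vertical(ec_add(T, T, a), S)
        T = ec_add(T, T, a)
        if bit == "1":
            f = f * line(T, P, S, a) / vertical(ec_add(T, P, a), S)
            T = ec_add(T, P, a)
    return f

def tate(P, Q, a): return miller(r, P, Q, a) ** ((p**k - 1) // r)     # reduced e_r^T(P, Q), (11)
def ate(P, Q, a, T): return miller(T, Q, P, a) ** ((p**k - 1) // r)   # reduced e_T^A(P, Q), (15)

def check_theorem_13():
    """Properties of Theorem 13 on the toy instance; every value should be True."""
    a, b, t = find_curve()
    T = t - 1
    P, Q = generator(a, b, t, False), generator(a, b, t, True)
    e = ate(P, Q, a, T)
    return {
        "Q_in_G2": (Q[0].frob(), Q[1].frob()) == ec_mul(p, Q, a),   # pi(Q) = qQ
        "ate_non_degenerate": e != Fp2(1) and e ** r == Fp2(1),
        "ate_bilinear": ate(ec_mul(2, P, a), ec_mul(3, Q, a), a, T) == e ** 6,
        "identity": e ** (k * p**(k - 1)) == tate(Q, P, a) ** ((T**k - 1) // r),
        "r2_does_not_divide_Tk_minus_1": (T**k - 1) % r**2 != 0,
        "tate_PQ_trivial": tate(P, Q, a) == Fp2(1),   # see the note below
    }
```

`check_theorem_13()` returns all-True. The search yields $t = 5$, hence $T = 4 \equiv q \pmod r$ and $T^k - 1 = 15$, which $r^2 = 25$ does not divide, so the ate pairing is non-degenerate, and the ate loop of $T = 4$ has one doubling step fewer than the Tate loop of $r = 5$. The last entry is a caveat the tiny parameters make visible: $\#E(\mathbb{F}_{p^2}) = 375 = 3 \cdot 5^3$, so the $5$-primary part of $E(L)$ is larger than $E[r]$ and $G_2 \subset rE(L)$; the reduced Tate pairing with $P \in G_1$ as first argument is therefore trivial on $G_1 \times G_2$, whereas $e_r^T(Q, P)$, the pairing Theorem 13 relates to the ate pairing, is not. The argument order in the theorem matters.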



7.2 Twisted ate pairing 

The twisted variant of the ate pairing keeps the usual order of the arguments, but sacrifices on 
the loop length. 

Assume $\operatorname{char} \mathbb{F}_q \geq 5$, and let $d = \gcd(k, \#\mathrm{Aut}(E))$ and $e = \frac{k}{d}$. Then there is a twist $E'$ of degree $d$ of $E$, that is, a curve $E'$ defined over $\mathbb{F}_q$ with an isomorphism $\psi : E' \to E$, which is defined over $\mathbb{F}_{q^d}$. It can be given explicitly as follows for $E : Y^2 = X^3 + aX + b$ in short Weierstraß form, see [Sil86, §X.5.4]:

$$d = 2: \quad E' : Y^2 = X^3 + D^2 a X + D^3 b, \qquad \psi(x, y) = \Big(\frac{x}{D}, \frac{y}{\sqrt{D^3}}\Big),$$
$$d = 4: \quad E' : Y^2 = X^3 + D a X, \qquad \psi(x, y) = \Big(\frac{x}{\sqrt{D}}, \frac{y}{\sqrt[4]{D^3}}\Big),$$
$$d \in \{3, 6\}: \quad E' : Y^2 = X^3 + D b, \qquad \psi(x, y) = \Big(\frac{x}{\sqrt[3]{D}}, \frac{y}{\sqrt{D}}\Big),$$

where $D$ is a non-square in $\mathbb{F}_q$ for $d \in \{2, 4\}$, a non-cube and square for $d = 3$, and a non-cube and non-square for $d = 6$. The formulae make sense since for $d = 4$, we have $b = 0$ and $q \equiv 1 \pmod 4$, while for $d \in \{3, 6\}$, we have $a = 0$ and $q \equiv 1 \pmod 3$. Up to isomorphism over $\mathbb{F}_q$, the twist is unique for $d = 2$, and there are two different ones for $d \in \{3, 6\}$ (such that $gD$ or $g^2 D$, respectively, is a cube for $g$ a generator of $\mathbb{F}_q^*$) and $d = 4$ (such that $gD$ or $g^3 D$, respectively, is a fourth power). One can then show, see [HSV06, §§4-5], that besides $E$ itself there is a unique twist $E'$ of $E$, defined over $\mathbb{F}_{q^e}$, such that $r \mid \#E'(\mathbb{F}_{q^e})$. (This uses that $r^2 \nmid \#E(\mathbb{F}_q)$.) If $G'_2 = E'(\mathbb{F}_{q^e})[r]$, then $G_2 = \psi(G'_2)$. In particular, the $X$-coordinates of the points in $G_2$ lie in $\mathbb{F}_{q^{k/2}}$ for $d$ even, and the $Y$-coordinates lie in $\mathbb{F}_{q^{k/3}}$ for $3 \mid d$.

The twisted ate pairing of [HSV06, §VI] is defined by

$$e_{T^e}^{A'} : G_1 \times G_2 \to L^*/(L^*)^r, \quad (P, Q) \mapsto f_{T^e, P}(Q). \qquad (17)$$

Let $\pi' : (x, y) \mapsto (x^q, y^q)$ be the Frobenius of $E'$, and let the endomorphism $\alpha$ of $E$ be defined as $\alpha = \psi \circ (\pi')^e \circ \psi^{-1}$. Then $\alpha|_{G_2} = \alpha|_{\psi(G'_2)} = \mathrm{id}$, $\alpha|_{G_1} \neq \mathrm{id}$, and thus $\alpha(G_1) \subset G_1$. Since $\psi$ is an isomorphism and $\deg((\pi')^e) = q^e$, this implies that $\alpha|_{G_1}$ is multiplication by $q^e$. So $\alpha$ behaves similarly to the Frobenius endomorphism, but with the roles of $G_1$ and $G_2$ reversed and of degree $q^e$ instead of $q$: $G_2$ is the eigenspace of eigenvalue 1, and $G_1$ is the eigenspace of eigenvalue $q^e$. The same proof as for Theorem 13 thus carries through after replacing $\pi$ by $\alpha$, $q$ by $q^e$, $T$ by $T^e$ and $k$ by $d$.

Theorem 14 $e_{T^e}^{A'}$ is bilinear, and if $r^2 \nmid T^k - 1$, it is non-degenerate. More precisely, with the replacements just described, the identity of Theorem 13 becomes

$$e_{T^e}^{A'}(P, Q)^{d\, q^{e(d-1)}} = e_r^T(P, Q)^{(T^k - 1)/r}.$$

Generically, one has $T^e = T^{k/d} \in O(q^{k/(2d)})$; as soon as $k > 2d$, so certainly for $k > 12$, the loop becomes larger than for the standard Tate pairing, which has the same order of arguments.
7.3 Optimal pairings

The discovery of the ate pairing based on a function $f_{\lambda,Q}$, where $\lambda = T$ is not a multiple of the order of $Q$, raised the question of further possible values for $\lambda$, and of the possibility of minimising the loop length $\log_2 \lambda$. (Strictly speaking, the loop length in Algorithm 11 depends on the addition-negation chain; $\lfloor \log_2 \lambda \rfloor$ measures the number of doublings in a standard double-and-add chain.)

For $i = 1, \ldots, k - 1$, Zhao, Zhang and Huang define in [ZZH08] the ate$_i$ pairing by

$$e^{A_i} : G_1 \times G_2 \to L^*/(L^*)^r, \quad (P, Q) \mapsto f_{T^i \bmod r,\, Q}(P). \qquad (18)$$

For a curve with an automorphism of order $d \mid k$ and $e = \frac{k}{d}$, a twisted version may be defined for $i = 1, \ldots, d - 1$ as

$$e^{A'_i} : G_1 \times G_2 \to L^*/(L^*)^r, \quad (P, Q) \mapsto f_{T^{ei} \bmod r,\, P}(Q).$$

Their bilinearity and non-degeneracy (if $r^2 \nmid T^{ik'} - 1$, where $k' = \frac{k}{\gcd(i, k)}$ is the order of $T^i$ modulo $r$) is proved as in Theorems 13 and 14 after replacing $\pi$ by $\pi^i$ or $\pi'$ by $(\pi')^i$, respectively.

In [LLP09], for the first time two such pairings were combined: if $t_1 = t_0 \lambda_1 + \lambda_0$ and $f_{t_0, Q}$ and $f_{t_1, Q}$ define powers of the Tate pairing $e_r^T(Q, P)$, then so does

$$f_{\lambda_1, t_0 Q} \cdot f_{\lambda_0, Q} \cdot \frac{\ell_{t_0 \lambda_1 Q,\, \lambda_0 Q}}{v_{t_1 Q}}, \qquad (19)$$

called the R-ate pairing. The proof relies on the equation

$$f_{t_0 \lambda_1, Q} = f_{t_0, Q}^{\,\lambda_1} \cdot f_{\lambda_1, t_0 Q}, \qquad (20)$$

which is readily verified by comparing divisors, so that (19) equals the pairing-defining function $f_{t_1, Q} \cdot f_{t_0, Q}^{\,-\lambda_1}$ by (20). Non-degeneracy holds as soon as the exponent with respect to the Tate pairing, readily computed from the previous equation, is not divisible by $r$. The added loop length in the computation of (19) is $\log_2(\lambda_1) + \log_2(\lambda_0)$. Since the computation of $f_{\lambda_1, t_0 Q}$ and $f_{\lambda_0, Q}$ by Algorithm 11 finishes with $t_0 \lambda_1 Q$ and $\lambda_0 Q$, the correction factor is obtained as the quotient of lines from adding these last two points. Additionally, $t_0 Q$ needs to be computed (which can be done in parallel with Algorithm 11 for $f_{\lambda_0, Q}$ if an addition-negation sequence passing through both $\lambda_0$ and $t_0$ is used), and an exponentiation with $\lambda_1$ is needed, which will usually be negligible compared to the final exponentiation for obtaining reduced pairings.

Several examples of curve families are given in [LLP09] with $t_0, t_1$ a power of $T$ and $\lambda_0, \lambda_1 \in O(r^{1/\varphi(k)})$. That this is no coincidence has been shown by Heß in [Hes08] and Vercauteren in [Ver10], who defined more general pairing functions, leading to a notion of optimality that reaches this quantity $O(r^{1/\varphi(k)})$.



7.3.1 Heß pairings

Theorem 15 ([Hes08, Theorem 1]) Let $t = \sum_{i=0}^{\deg t} t_i Y^i \in \mathbb{Z}[Y]$ and $y$ a primitive $k$-th root of unity modulo $r^2$ such that $r \mid t(y)$. Let $f_{t,y,Q}$ be the function, monic at $O$, such that

$$\mathrm{div}(f_{t,y,Q}) = \sum_{i=0}^{\deg t} t_i \big([y^i Q] - [O]\big). \qquad (21)$$

Then the Heß pairing

$$e^H_{t,y} : G_1 \times G_2 \to L^*/(L^*)^r, \quad (P, Q) \mapsto f_{t,y,Q}(P) \qquad (22)$$

is bilinear and, if $r^2 \nmid t(y)$, non-degenerate.
Proof: Let $t(y) = rL$, and rewrite (21) as

$$\mathrm{div}(f_{t,y,Q}) = \sum_{i=0}^{\deg t} t_i y^i [Q] - \sum_{i=0}^{\deg t} t_i \big(y^i [Q] - [y^i Q]\big) - \Big(\sum_{i=0}^{\deg t} t_i\Big)[O],$$

which implies that

$$f_{t,y,Q} = f_{r,Q}^{\,L} \prod_{i=0}^{\deg t} \big(f_{y^i, Q}\big)^{-t_i}.$$

Since $q$ is a primitive $k$-th root of unity modulo $r$, we have $y \equiv q^j \pmod r$ for some $j$, and $y^i \equiv q^{ij} \pmod r$. The same proof as for the ate (or ate$_i$) pairing, with $y^i$ in the place of $T$ and $\pi^{ij}$ in the place of $\pi$, shows that

$$f_{y^i, Q}^{\,k q^{k-1}}(P) = e_r^T(Q, P)^{(y^{ik} - 1)/r} = 1 \quad \text{since } r^2 \mid y^k - 1.$$

Since $r \nmid k q^{k-1}$, we have $f_{y^i, Q}(P) = 1$. So $e^H_{t,y} = (e_r^T)^L$ is bilinear, and non-degenerate for $r \nmid L$.

□

Remark 16 The condition that $y$ be a primitive $k$-th root of unity modulo $r^2$ is clearly not necessary. If $y$ is a root of unity modulo $r$, then the previous proof carries through, showing that $e^H_{t,y}$ is bilinear. More precisely, $(e^H_{t,y})^{k q^{k-1}} = (e_r^T)^N$ with

$$N = k q^{k-1} \frac{t(y)}{r} - \sum_{i=0}^{\deg t} t_i \frac{y^{ik} - 1}{r} = \frac{1}{r} \Big(k q^{k-1} t(y) - \big(t(y^k) - t(1)\big)\Big),$$

so that $e^H_{t,y}$ is non-degenerate if and only if $r \nmid k q^{k-1} t(y) - (t(y^k) - t(1))$. This should hold with overwhelming probability. For instance, one can usually choose $y = T = q \bmod r$.

Since $y$ is a $k$-th root of unity modulo the order $r$ of $Q$, any function as in (21) is realised by a polynomial $t$ of degree at most $\varphi(k) - 1$. Those with a root in $y$ modulo $r$ can be seen as elements of the $\mathbb{Z}$-lattice with basis $r,\ Y - y,\ Y^2 - (y^2 \bmod r),\ \ldots,\ Y^{\varphi(k)-1} - (y^{\varphi(k)-1} \bmod r)$ of dimension $\varphi(k)$ and determinant $r$. For fixed dimension, the LLL algorithm finds an element $t$ of degree at most $\varphi(k) - 1$ and with $|t_i| \in O(r^{1/\varphi(k)})$.

There is a twisted variant of the Heß pairing: if $E$ has a twist of order $d \mid k$ and $e = \frac{k}{d}$, $y$ is a $d$-th root of unity modulo $r$ and $r \mid t(y)$, then

$$e^{H'}_{t,y} : G_1 \times G_2 \to L^*/(L^*)^r, \quad (P, Q) \mapsto f_{t,y,P}(Q)$$

defines a bilinear pairing that is non-degenerate if $y$ is a primitive $d$-th root of unity modulo $r^2$ or, more generally, if $r^2 \nmid d\, q^{e(d-1)} t(y) - (t(y^d) - t(1))$. Using LLL, one obtains a polynomial of degree less than $\varphi(d)$ and with $|t_i| \in O(r^{1/\varphi(d)})$. The only cases of interest are $d \in \{3, 4, 6\}$, for which $\varphi(d) = 2$. Even then, there is only a constant gain in the loop length that does not increase with $k$, so that asymptotically, the Heß pairing will be preferred to its twisted version. Finally, [Hes08] also contains an optimal version of the Weil pairing.

To see whether (22) can be computed efficiently, let $R_i = y^i Q$, $s_i = \sum_{j=0}^{i} t_j y^j$ and $S_i = s_i Q = \sum_{j=0}^{i} t_j R_j$ for $i \geq 0$, and $s_{-1} = 0$ and $S_{-1} = O$. Then (21) can be rewritten as

$$\mathrm{div}(f_{t,y,Q}) = \sum_{i=0}^{\deg t} \mathrm{div}(f_{t_i, R_i}) + \sum_{i=0}^{\deg t} \big([t_i R_i] - [O]\big)$$
$$= \sum_{i=0}^{\deg t} \mathrm{div}(f_{t_i, R_i}) + \sum_{i=0}^{\deg t} \Big([S_i] - [S_{i-1}] + \mathrm{div}\Big(\frac{\ell_{S_{i-1},\, t_i R_i}}{v_{S_i}}\Big)\Big),$$

where the terms $[S_i] - [S_{i-1}]$ telescope to $[S_{\deg t}] - [S_{-1}] = 0$ since $S_{\deg t} = t(y) Q = O$, and thus the function of (22) becomes

$$f_{t,y,Q} = \prod_{i=0}^{\deg t} f_{t_i, R_i} \cdot \prod_{i=0}^{\deg t} \frac{\ell_{S_{i-1},\, t_i R_i}}{v_{S_i}}.$$

The precomputation of the $R_i$ by $\deg t - 1$ scalar multiplications can already be rather costly. As $t_i R_i$ is a side product of the computation of $f_{t_i, R_i}$, each quotient of two lines comes out of a point addition on $E(L)$. But by computing each $f_{t_i, R_i}$ separately via Algorithm 11, the factor $\varphi(k)$ gained in the loop length is lost again through the number of evaluations. So while it is shown in [Hes08, Lemma 1] that the Heß pairing uses a function of relatively low degree in $O(r^{1/\varphi(k)})$, it is unclear whether this function can always be evaluated in $\frac{\log_2 r}{\varphi(k)}$ steps or a very small multiple thereof.

7.3.2 Vercauteren pairings

If one removes the condition that $y$ be a primitive $k$-th root of unity modulo $r^2$ in the Heß pairing, one may let $y = q$ under the conditions of Remark 16, a special case considered independently by Vercauteren in [Ver10]. Then the $R_i$ may be computed by successive applications of the Frobenius map, and moreover,

$$f_{t_i, R_i}(P) = f_{t_i, \pi^i(Q)}(P) = f_{t_i, Q}(P)^{q^i} \quad \text{by (16)}.$$

These functions have the advantage of being computed by Algorithm 11 with respect to the same base point $Q$. By choosing an addition-negation sequence that passes through all the $t_i$, they may thus be obtained at the same time. Currently known algorithms compute such sequences with $\log_2 N + \varphi(k) \cdot O\!\left(\frac{\log_2 N}{\log_2 \log_2 N}\right)$ steps, where $N = \max |t_i|$, for instance by [Yao76]. This shows that, up to the minor factor $\log \log N$, again the gain of $\varphi(k)$ in the loop lengths is offset by the number of functions. One should notice, however, that better addition sequences can often be found in practice. Moreover, coefficients occurring in a pairing context are far from random, but exhibit arithmetic peculiarities, as illustrated in the next paragraph.



7.3.3 Optimal pairings on curve families

Elliptic curves suitable for pairing-based cryptography, that is, with a small embedding degree $k$, are extremely rare among all elliptic curves, see [Box12]. An excellent survey article on the problem of finding good parameter combinations is [FST10], so there is no need to give any details here. Starting with the article by Brezing and Weng [BW05], work has concentrated on finding families of curves parameterised by polynomials. For fixed $k$, these are given by $p(X)$, $r(X)$ and $u(X) \in \mathbb{Z}[X]$ satisfying arithmetic properties so that if $x_0 \in \mathbb{Z}$ is such that $p(x_0)$ is prime, then there is an elliptic curve over $\mathbb{F}_{p(x_0)}$ with trace of Frobenius $u(x_0)$ and a subgroup of order $r(x_0)$ of embedding degree $k$. Concrete instances are thus given whenever $p(X)$ and $r(X)$ simultaneously represent primes. In practice, one has $\deg(p(X)) = \varphi(k)$ or $2\varphi(k)$, and the polynomials tend to have small and arithmetically meaningful coefficients (for instance, they are often divisible by prime factors of $k$).

As an example, Freeman gives a family in [Fre06, Theorem 3.1] for $k = 10$ with

$$p(X) = 25X^4 + 25X^3 + 25X^2 + 10X + 3,$$
$$u(X) = 10X^2 + 5X + 3,$$
$$r(X) = 25X^4 + 25X^3 + 15X^2 + 5X + 1.$$

To construct optimal pairings, one may now work directly with polynomials instead of integers, looking for short vectors in the $\mathbb{Z}[X]$-lattice with basis $r(X),\ Y - y(X),\ Y^2 - (y(X)^2 \bmod r(X)),\ \ldots,\ Y^{\varphi(k)-1} - (y(X)^{\varphi(k)-1} \bmod r(X))$.

In Heß's construction of §7.3.1, $y(X)$ is hereby a primitive $k$-th root of unity modulo $r(X)^2$; notice that $r(X)$ is necessarily irreducible since it represents primes.

For Vercauteren's specialisation of §7.3.2, one has $y(X) = p(X)$, and the above family leads to a short vector (see [Ver10, §IV.B])

$$t(Y) = XY^3 + XY^2 - XY - (X + 1).$$

This means that whenever $p(x_0)$ and $r(x_0)$ are prime for some $x_0 \in \mathbb{Z}$, then we obtain a curve and an optimal pairing in which the computation of the $f_{t_i(x_0), Q}$ boils down to $f_{x_0, Q}$. Notice that $x_0 \approx r(x_0)^{1/\deg r(X)} = r(x_0)^{1/\varphi(k)}$, and in this family, the gain of a factor of $\varphi(k)$ in each invocation of Algorithm 11 leads indeed to a corresponding speed-up in the complete function evaluation.
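As an added example (not code from the paper, Freeman's article or Vercauteren's), the following Python script verifies the family and the short vector above with exact polynomial arithmetic over $\mathbb{Q}$: that $r(X) \mid p(X) + 1 - u(X)$ (here the two are even equal, so the cofactor is 1), that $r(X) \mid \Phi_{10}(p(X))$, which gives embedding degree 10, that $t(p(X)) \equiv 0 \pmod{r(X)}$, so $t(Y)$ lies in the lattice with $y(X) = p(X)$, and that its coefficients $t_i(X)$ have degree $1 = \deg r(X)/\varphi(10)$. It then instantiates the family at the constructed value $x_0 = -2$, where $p(x_0) = 283$ and $r(x_0) = 251$ are both prime, and recomputes the embedding degree directly as the order of $p(x_0)$ modulo $r(x_0)$. The function names and the choice of $x_0$ are this example's own.

```python
# Added example (not the paper's code): checks on Freeman's k = 10 family of §7.3.3 and on
# Vercauteren's short vector t(Y) for it, using exact polynomial arithmetic over Q.
from fractions import Fraction
from itertools import zip_longest

# Polynomials in Z[X] or Q[X] as coefficient lists, lowest degree first; [] is the zero polynomial.
def ptrim(f):
    while f and f[-1] == 0: f = f[:-1]
    return f
def padd(f, g): return ptrim([a + b for a, b in zip_longest(f, g, fillvalue=0)])
def pneg(f): return [-a for a in f]
def pmul(f, g):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g): out[i + j] += a * b
    return ptrim(out)
def pmod(f, g):
    """Remainder of f modulo g in Q[X]; g need not be monic (here its leading coefficient is 25)."""
    f, g = [Fraction(a) for a in f], [Fraction(a) for a in g]
    while f and len(f) >= len(g):
        c, shift = f[-1] / g[-1], len(f) - len(g)
        f = padd(f, pneg([0] * shift + [c * a for a in g]))
    return f
def peval(coeffs, y):
    """Horner evaluation of sum_i coeffs[i] * Y^i at Y = y; coeffs[i] and y are polynomials in X."""
    acc = []
    for c in reversed(coeffs): acc = padd(pmul(acc, y), c)
    return acc

K = 10
X = [0, 1]
P_X = [3, 10, 25, 25, 25]        # p(X) = 25X^4 + 25X^3 + 25X^2 + 10X + 3
U_X = [3, 5, 10]                 # u(X) = 10X^2 + 5X + 3 (trace of Frobenius)
R_X = [1, 5, 15, 25, 25]         # r(X) = 25X^4 + 25X^3 + 15X^2 + 5X + 1
PHI_10 = [[1], [-1], [1], [-1], [1]]                      # Phi_10(Y) = Y^4 - Y^3 + Y^2 - Y + 1
T_Y = [pneg(padd(X, [1])), pneg(X), X, X]                 # t(Y) = X Y^3 + X Y^2 - X Y - (X + 1)

def family_checks():
    """Polynomial identities behind the family and the optimal pairing (all should be True)."""
    return {
        # r(X) | p(X) + 1 - u(X): a subgroup of order r(x0) exists; here the cofactor is even 1.
        "r_divides_curve_order": pmod(padd(padd(P_X, [1]), pneg(U_X)), R_X) == [],
        "cofactor_is_one": padd(padd(P_X, [1]), pneg(U_X)) == R_X,
        # r(X) | Phi_k(p(X)): p(x0) is a primitive k-th root of unity modulo r(x0), embedding degree k.
        "r_divides_phi_k_of_p": pmod(peval(PHI_10, P_X), R_X) == [],
        # t(p(X)) = 0 mod r(X): t(Y) lies in the lattice of §7.3.3 with y(X) = p(X).
        "t_of_p_vanishes_mod_r": pmod(peval(T_Y, P_X), R_X) == [],
        # deg t < phi(k) = 4 and every coefficient t_i(X) has degree 1 = deg r(X) / phi(k).
        "short_vector": len(T_Y) - 1 < 4 and max(len(c) - 1 for c in T_Y) * 4 == len(R_X) - 1,
    }

def instance(x0):
    """Concrete parameters at x0; checks primality and computes the embedding degree directly."""
    ev = lambda f: sum(c * x0**i for i, c in enumerate(f))
    p0, r0, u0 = ev(P_X), ev(R_X), ev(U_X)
    is_prime = lambda n: n > 1 and all(n % d for d in range(2, int(n**0.5) + 1))
    emb = next(e for e in range(1, r0) if pow(p0, e, r0) == 1)   # order of p0 in (Z/r0)^*
    return {"p": p0, "r": r0, "curve_order": p0 + 1 - u0,
            "both_prime": is_prime(p0) and is_prime(r0), "embedding_degree": emb,
            "loop_coefficients": [ev(c) for c in T_Y]}      # the t_i(x0) fed to Algorithm 11
```

`family_checks()` returns all-True, and `instance(-2)` reports $p = 283$, $r = 251$, a curve order of 251 (so the whole group is the subgroup of order $r$), embedding degree 10 and loop coefficients $t_i(x_0) = 1, 2, -2, -2$, each of size about $r^{1/4}$, in line with the remark that $x_0 \approx r(x_0)^{1/\varphi(k)}$. Values this small are only a sanity check of the polynomial identities; the same script applies unchanged to an $x_0$ of cryptographic size.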